ABSTRACT

Fault  tree  analysis,  which  has  proved  to  be  a 
useful  analytical  tool  for  the  reliability  and  safety 
analysis  of  complex  systems,  is  applied  to  the  Naval 
Postgraduate School Mini-Satellite (ORION). A general
background  to  reliability  analysis,  fault  tree 
analysis,  and  fault  tree  construction  is  given.  Impact 
of  a  phased  mission  is  included  in  the  analysis.  A 
fault  tree  for  ORION  is  constructed  and  used  to 
identify  minimal  cut  sets  and  minimal  path  sets.  The 
cut sets and path sets are, in turn, used to calculate
an estimate of ORION's reliability to perform a three
year  mission.  The  reliability  model  was  constructed  in 
a  Lotus  1-2-3  spreadsheet  to  enable  the  designers  to  do 
"what-if"  analysis. 

I. INTRODUCTION


A.  GENERAL  BACKGROUND  AND  PURPOSE 

The Naval Postgraduate School Mini-Satellite
(subsequently referred to as ORION) is an actual
engineering effort by the students and faculty of the
Naval Postgraduate School to produce a low cost, multi-purpose
satellite. The focus of this thesis, as a
portion  of  that  effort,  is  to  derive  a  fault  tree  for 
ORION  and  assist  in  its  design  by  identifying  weak 
links  in  its  system  reliability.  The  format  of  the 
thesis  is  intended  to  make  the  results  of  this  analysis 
readily  accessible  to  colleagues  to  facilitate  the 
design  and  construction  of  ORION. 

B.  SATELLITE  OVERVIEW 

ORION is an alternative concept for low cost
military spaceflight. It is designed to be an
inexpensive, reliable satellite bus that can be mission
specific, yet maintain a flexible architecture. The
mission payloads can vary from 50 lbs. to 130 lbs. and
are designed for a mission life of three years. Due to
its simplistic design, ORION includes very little
redundancy.

1. Objectives of ORION

ORION  is  designed  with  eight  objectives  in 
mind.  They  are: 

a. to satisfy many small mission needs with a low
cost, reconfigurable vehicle.

b. to provide an affordable, boosted-free flyer to
complement SPARTAN and SPAS (see footnote 1).

c. to achieve circular orbits from 135 nm (nautical
miles) to 800 nm with propellant reserve.

d. to achieve elliptic orbits to 2200 nm with a
perigee of 135 nm.

e. to have a longer life at Shuttle altitude than
SPARTAN.

f. to provide an affordable platform for space
science, space technology, and military missions.

g. to provide a cost effective bus for constellation
proliferation.

h. to be dependable and affordable.

Footnote 1: SPARTAN and SPAS are existing experimental
platforms used by the Shuttle. They are on station as
long as the Shuttle is on station.

2. ORION Main Subsystems

For purposes of management and design, ORION
can be separated into seven subsystems. The subsystems
are:

a.  the  propulsion  subsystem. 

b.  the  electrical  power  subsystem. 

c.  the  data  storage  subsystem. 

d.  the  telemetry  subsystem. 

e.  the  thermal  control  subsystem. 

f.  the  attitude  control  subsystem. 

g.  the  computer  subsystem. 

The  reliability  analysis  focuses  on  how  the 
subsystems  interrelate.  As  an  example,  all  the 
subsystems  require  the  electrical  power  subsystem  to 
work.  These  dependency  relationships  are  developed  and 
displayed  in  the  fault  tree. 


3. Possible Military Applications

Due to ORION's objectives and simplistic
design, there are several apparent military
applications. Some of those applications include:


a.  proliferated  platforms  for  communication. 

b.  ultraviolet  sensor  platforms. 

c. high energy particle detectors.

d. targeting laser or KE (kinetic energy)
weapons, reentry vehicle simulator, or kill
assessment.

e.  low  cost  imaging  platforms. 

C.  ORGANIZATION 

This  chapter  provides  some  background  to  ORION  and 
its  possible  applications.  Chapter  II  gives  a  short 
background  of  reliability  analysis.  Chapter  III  follows 
with  a  description  of  fault  tree  analysis.  Chapter  IV 
contains  the  applications  of  a  fault  tree  analysis  to 
ORION. The final chapter, Chapter V, states the
conclusions,  recommendations,  and  suggestions  for 
further  research. 

D.  SUMMARY 

The  primary  benefit  of  this  analysis  has  been  to 
aid  in  the  design  of  ORION.  This  was  accomplished  by 
identifying  82  minimal  cut  sets.  Of  these  cut  sets  22 
are  single-element  sets,  29  are  double-element  cut 
sets,  27  are  three-element  cut  sets,  2  are  five-element 
cut  sets,  1  is  a  six-element  cut  set  and  1  is  an 
eleven-element  cut  set. 

The  dual  tree  reveals  over  33  billion  distinct 
paths.  Using  modular  decomposition  this  number  is 
reduced  to  three  distinct  paths.  The  path  sets  were 
used  to  determine  the  structural  importance  of  each 
component.

The  structural  importance  analysis  determined  seven 
different  levels  of  significance.  Twenty  components  are 
structurally  the  most  significant.  A  listing  of  them  is 
given  in  Appendix  C.  The  remaining  levels  and  their 
associated  components  are  listed  in  Chapter  IV. 

The reliability importance of components cannot be
determined  since  the  design  is  not  completely 
established.  A  Lotus  spreadsheet  was  developed  to  allow 
the  designers  to  do  a  "what-if"  analysis  with  component 
reliabilities  as  the  subsystems  are  developed. 

II. BACKGROUND TO RELIABILITY ANALYSIS


A  salesman  called  on  Steinway  &  Sons  to  show  them  a 
new  piano-key  pin.  "My  company  believes  this  aluminum 
pin  is  greatly  superior  to  the  pin  you  have  been 
using," he said.

Mr.  Steinway  deliberated  for  some  moments.  "Well, 
young  man,"  he  said  at  last,  "we  are  an  old  firm,  slow 
and  cautious  about  making  changes.  But  we  will  install 
your  pins  in  one  of  our  pianos  and  give  them  a  trial." 

The  salesman  was  delighted.  "That’s  good  enough  for 
me,"  he  said.  "How  long  a  trial  will  you  need?" 

"Oh,"  said  Mr.  Steinway  thoughtfully,  "I’d  say 
about  50  years."  [Ref.  1] 

A.  GENERAL 

Performing  the  mission  is  undoubtedly  the  best  test 
of  reliability.  However,  today’s  decision  makers  and 
analysts  rarely  have  Mr.  Steinway’s  luxury  of  time.  Not 
only  is  time  a  scarce  resource,  but  there  are  many 
cases  when  neither  the  system’s  working  or  living 
environment  nor  the  money  to  do  extensive  or  realistic 
reliability  tests  is  available.  With  such  constraints, 
other  methods  must  be  employed  to  estimate 
reliabilities  or  limits  on  reliabilities.  Reliability, 
in  the  sense  used  here  and  throughout  the  thesis,  is 
the  probability  of  a  device  performing  its  function 
adequately  for  a  specified  length  of  time  and  operating 
conditions.  Therefore,  the  purpose  of  reliability  or 
system  analysis  is  to  seek  out  those  reliabilities  or 
limits  on  reliabilities.  Within  that  pursuit,  there  are 
two important aspects to a system analysis: (1) an
inductive analysis stage and (2) a deductive analysis
stage.

During  the  inductive  analysis  stage,  available 
information  on  the  system  is  gathered  and  organized. 
The system is then defined, its functional purpose described,
and its critical components determined. At
this stage, the question is posed "What can happen to
the system as a result of component failure or human
error?" Possible system failure modes are then hypothesized.
A failure modes and effects analysis is
conducted at the component level. Specifically, a list
of all envisioned mechanical and electrical failure
modes is generated. This, in turn, leads to a critical
components list including assessed failure rates.
Additionally, it is well known that system failures
often  occur  at  subsystem  interfaces.  The  interfaces, 
therefore,  become  an  important  part  of  the  analysis 
along  with  the  components. 

The  deductive  analysis  of  a  system  or  reliability 
analysis  answers  the  question  "How  can  a  system  fail 
(or  succeed)  or  be  unavailable?"  A  logic  tree  (or  fault 
tree)  is  often  the  best  device  for  deducing  how  a  major 
system  failure  event  could  occur.  However,  its 
construction  depends  on  a  thorough  understanding  of  the 
system  and  the  results  of  the  system  inductive 
analysis.  A  block  diagram  or  a  network  graph  is  a 
useful  device  for  representing  a  successfully 
functioning  system.  Since  the  network  graph  is  close  to 
a  system  functional  representation,  it  cannot  capture 
abstract  system  failure  and  human  error  events  as  well 
as the logic tree representation. [Ref. 2: pp. 1-2]

Also  during  the  deductive  stage  a  particular  method 
of analysis must be selected and employed. Some of
those methods include: fault tree analysis; state space
approach; decomposition method; circuit stress
analysis; network reduction technique; block diagrams;
and  Monte  Carlo  simulation.  Each  has  its  advantages  and 
disadvantages.  The  primary  reason  fault  tree  analysis 
was  selected  is  that  ORION  is  still  in  its  design  stage 
and  fault  tree  analysis  is  particularly  beneficial  in 
developing  a  design. 

B.  PHASED  MISSIONS 

Phases  of  deployment  affect  a  satellite’s 
reliability.  A  phase  change  occurs  whenever  the  size  of 
the  set  of  active  components  changes.  Another  way  to 
look  at  this  is  to  say  the  functional  organization  of 
the  system  changes  with  time.  During  each  phase  of  the 
mission  the  system  must  accomplish  a  specified  task. 

A  phased  mission  profile  causes  complexities  not 
present  in  a  single-phase  system.  However,  it  can  be 
transformed  into  an  equivalent  synthetic  single-phase 
system.  This  refined  profile  can  then  be  used  to  derive 
an  approximation  of,  or  bounds  on,  mission  or  satellite 
reliability.

It is inappropriate to do a standard reliability
analysis for each separate phase, and then multiply the
resulting phase reliabilities together as if they
referred to independent events. The implicit assumption,
that each component is functioning at the
beginning of a phase when the system has functioned
throughout the previous phase, is not necessarily true.
[Ref. 3: pp. 11, 12] A component must have survived the
first n-1 phases before it can function in the nth
phase. Additionally, through the sequence of phases, a
component or set of components may be turned on and off
several times during the first n-1 phases before it is
needed during the nth phase. These are all reasons
the phase reliabilities cannot be merely multiplied
together to obtain an overall system reliability. A
simple example follows to illustrate phased mission
analysis.

Example 2.1 A system with two independent
components, $C_1$ and $C_2$, is designed for a two-phased
mission. In order for the system to perform the
required tasks, at least one component has to function
through phase 1 and both components have to function
through phase 2. The block diagrams for this system are

[Figure: block diagrams for phase 1 and phase 2]

For $k = 1, 2$, let $p_{k1}$ denote the probability that
component $C_k$ functions through phase 1, and $p_{k2}$ denote
the conditional probability that component $C_k$ functions
through phase 2, given that it has functioned through
phase 1. The system reliability for phase 1 is
$p_1 = p_{11} + p_{21} - p_{11}p_{21}$, and the system reliability for
phase 2, given that both the components have functioned
through phase 1, is $p_2 = p_{12}p_{22}$. Multiplying these
together would lead to the mission reliability

$$p = (p_{11} + p_{21} - p_{11}p_{21})\,p_{12}p_{22}$$

This is greater than the correct mission reliability,
which is

$$p_{11}p_{12}p_{21}p_{22}$$

since mission success is achieved only if both components
function through both phases. [Ref. 3: pp. 12
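
The comparison in Example 2.1, generalized to any number of components and phases, as an added example that is not part of the thesis. The probability values are constructed, and the code assumes independent, non-repairable components that are active in every phase.

```python
from itertools import product
from math import prod

# Constructed values (not from the thesis): P[c][j] is the probability that
# component c functions through phase j+1, given it functioned through phase j.
P = {"C1": [0.9, 0.8], "C2": [0.7, 0.6]}

# One structure function per phase: maps {component: is_working} to success.
PHASES = [
    lambda up: up["C1"] or up["C2"],    # phase 1: at least one component
    lambda up: up["C1"] and up["C2"],   # phase 2: both components
]


def phase_reliability(structure, probs):
    """Reliability of one phase taken in isolation: every component is
    assumed to be working when the phase starts."""
    names = sorted(probs)
    total = 0.0
    for states in product((True, False), repeat=len(names)):
        up = dict(zip(names, states))
        if structure(up):
            total += prod(probs[c] if up[c] else 1.0 - probs[c] for c in names)
    return total


def naive_mission_reliability(phases, p):
    """The inappropriate method: multiply the isolated phase reliabilities."""
    return prod(
        phase_reliability(structure, {c: p[c][j] for c in p})
        for j, structure in enumerate(phases)
    )


def exact_mission_reliability(phases, p):
    """Enumerate, for each component, the phase in which it fails (or never),
    and add up the probability of every history in which all phases succeed."""
    names = sorted(p)
    n = len(phases)
    total = 0.0
    # fail_at[c] == j means c fails during phase j; n means it never fails.
    for fail_at in product(range(n + 1), repeat=len(names)):
        weight = 1.0
        for c, f in zip(names, fail_at):
            weight *= prod(p[c][:f])          # survived phases 0 .. f-1
            if f < n:
                weight *= 1.0 - p[c][f]       # then failed in phase f
        # A component is working through phase j only if it fails later.
        if all(
            structure({c: f > j for c, f in zip(names, fail_at)})
            for j, structure in enumerate(phases)
        ):
            total += weight
    return total


if __name__ == "__main__":
    print("naive product:", round(naive_mission_reliability(PHASES, P), 4))
    print("exact        :", round(exact_mission_reliability(PHASES, P), 4))
```

The gap between the two results is the probability of histories in which one component fails in phase 1, the system still passes phase 1, and the naive product then treats that component as available for phase 2.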


C.  MISSION  PROFILES 

An  additional  complication  to  phased  missions  is 
the  absence  of  an  exact  mission  profile  for  ORION. 
Since  ORION  is  designed  to  be  a  low-cost  general 
purpose  bus  for  an  electronics  package,  it  can  be 
employed  in  an  infinite  variety  of  profiles.  For 
purposes  of  this  analysis,  two  distinct  profiles  are 
analyzed. 

The first mission profile envisions a 3-axis
stabilized sensor platform that does not experience an
orbit change. After the satellite has been ejected from
the canister it becomes autonomous. A short time delay
is needed before ORION begins its mission profile. The
time delay is necessary to ensure ORION is sufficiently
away from the Shuttle before it becomes active. This
profile is partitioned into five phases. They are:

activation
antenna boom deployment
establish orientation
re-orientation (if necessary)
station keeping

The purpose of the activation phase is to "wake up"
ORION and conduct internal checks to ensure ORION is
functioning. The antenna deployment phase is completed
when the antenna booms are locked in the extended
position. The specific mission of the orientation phase
is to establish ORION's spatial and orbital orientation.
The fourth phase may or may not occur. If it is
determined that ORION is not properly oriented then
re-orientation is essential. This phase includes any
necessary re-orientation commands. The final phase
ensures ORION maintains the orbit(s) specified by its
mission profile. All of ORION's subsystems are required
(i.e. must function) to perform station keeping tasks.


The second mission profile is for a spin stabilized
satellite with an orbit change. Such a profile is
characteristic of a communications satellite. This
profile has nine phases with the same four initial
phases as the first mission profile (i.e. activation,
antenna boom deployment, orientation and
re-orientation). The remaining five phases are:

orbit boost
orbit fix
orientation
re-orientation (if necessary)
station keeping

The  purpose  of  the  orbit  boost  phase  is  to  accelerate 
ORION out of its low earth orbit. The orbit fix phase
establishes ORION's mission orbit. The remaining three
phases are identical in purpose to the final three
phases of the first mission profile. Again, all of
ORION's subsystems must function to perform station
keeping  tasks. 

In  both  mission  profiles  (or  in  any  mission  profile 
generated) the last phase utilizes all of the satellite’s
subsystems. Since all subsystems are needed
during  the  last  phase,  the  phased  mission  analysis 
dictates  that  every  subsystem  must  survive  the  entire 
mission  life.  The  resulting  synthetic  single-phase  is 
all  the  subsystems  operating  in  series  during  the 
entire  length  of  the  mission. 


III.  FAULT  TREE  ANALYSIS  DESCRIPTION 


A.  BACKGROUND  TO  FAULT  TREE  ANALYSIS 

The bulk of this chapter is a compilation of
information extracted from reliability literature. It
is included here only to give the reader a background
to the fault tree reliability analysis performed in
this thesis.

The  fault  tree  method  resulted  from  a  contract 
between  the  Air  Force  Ballistics  Division  and  Bell 
Telephone  Laboratories  for  the  study  of  an  inadvertent 
launch  of  the  Minuteman  ICBM.  The  Launch  Control  Safety 
Study  (1962)  first  described  fault  tree  analysis  in 
Volume  I  Section  VII  "Method  of  Inadvertent  Launch 
Control Analysis." Minuteman I was in production when
the  study  was  completed,  therefore  no  design  changes 
resulted  from  the  study  (effecting  design  changes  has 
become  a  primary  advantage  of  fault  tree  analysis). 
Because  the  results  of  the  analysis  were  so  close  to 
the  observed  data  of  Minuteman  I,  fault  tree  analysis 
was  used  during  the  design  phase  of  Minuteman  II.  Since 
then,  fault  tree  analysis  has  been  used  in  combination 
with other techniques to predict and improve safety
performance  and  reliability  in  complex  aerospace  and 
military  systems. 

After initial work at Bell Telephone Laboratories,
development of the fault tree method continued at the
Boeing Company, where the technique was applied to
manned spacecraft. Boeing and AVCO published fault tree
reports on the Minuteman II system in March 1962, and
January 1964, respectively. In June 1965, Boeing and
the University of Washington co-sponsored a System
Safety Symposium in Seattle. Five of the presentations
were fault tree articles by Boeing employees. A paper
by  A.  B.  Mearns  of  Bell  Telephone  Laboratories  also 
described  fault  trees.  These  six  papers  and  the  Launch 
Control  Safety  Study  are  the  main  references  cited  in 
articles  after  1965.  [Ref.  4:  p.  3] 

Fault  tree  analysis  consists  of  six  steps: 

1. define the top event to be investigated,

2. gain an understanding of the system,

3. construct the tree,

4. collect quantitative data,

5. evaluate the probability of the top event, and

6. analyze the results.

The  top  event  of  the  tree  should  be  well  defined  in 
terms  of  operating  modes  of  the  system,  environmental 
conditions  and  time  limits.  However,  the  failure  must 
represent  a  major  system  malfunction  which  threatens 
personnel  or  equipment. 

Generally  accepted  symbols  are  necessary  to 
represent  differences  in  events  and  logic  relationships 
since the fault tree is graphic as well as analytic. In
addition, several people at separate locations and at
different times may contribute to the analysis. The
following sections describe events, logic gates and
special symbols.

Instead  of  being  hardware  oriented,  fault  tree 
analysis  is  event  or  failure  oriented:  that  is,  it 
examines  a  particular  system  failure  for  all  possible 
causes.  Control  of  the  system  failure  through  knowledge 
of its causes is the analysis objective. The tree is a
graphical representation of possible causes of a major
failure which appears at the top of the tree (called
the top event). During construction, the tree grows
downward and outward as failures and causes are
described in increasing detail. When the tree is
completed, probabilities are associated with the
failures lowest on the tree. The bottom events concern
failures of basic components which can be associated
with probabilities. The assigned probabilities are
combined as dictated by logic gates to give
probabilities for events higher on the tree. The
combination of probabilities continues until the
complex top event has a probability calculated from the
accurate component data at the bottom of the tree. In
general, fault tree analysis involves two kinds of
reasoning: the thought processes involved in
construction produce a downward flow, whereas the
evaluation of probability and operation of the logic
gates dictate an upward flow. [Ref. 4: pp. 1,6,7] See
Figure 3.1 for an example of a fault tree.

B.  PURPOSE  OF  FAULT  TREES 

Generally,  fault  trees  serve  three  purposes. 

First,  they  aid  in  determining  the  possible  causes 
of  a  system  failure.  When  properly  used,  the  fault  tree 
often  leads  to  discovery  of  failure  combinations  which 
otherwise  might  not  have  been  recognized  as  causes  of 
the  top  event. 

Secondly,  they  serve  as  a  display  of  results.  If 
the  system  design  is  not  adequate,  the  fault  tree  can 
be  used  to  show  what  the  weak  points  are  and  how  they 
lead to undesirable events. If the design is
adequate, the fault tree can be used to show that all
conceivable causes have been considered.

Lastly, they provide a convenient and efficient
format helpful in the computation of the probability of
system failure. [Ref. 5: p. 10]




C.  ASSUMPTIONS 

In  selecting  fault  tree  analysis  as  the  analysis 
tool,  some  assumptions  had  to  be  made.  Fault  tree 
analysis  requires  each  component  to  be  either  in  a  go 
or  no-go  status.  Typically,  a  spacecraft  has  functional 
states  which  are  considered  as  degraded.  During  the 
design  of  ORION,  subsystems  were  engineered  for  more 
than  just  their  design  envelope.  An  example  is  the 
propulsion  system.  More  fuel  than  an  extreme  mission 
profile  would  require  is  designed  into  ORION.  As  such, 
a true degradation will exist in the working environment
(i.e. fuel is used throughout the mission and its
tank  is  not  always  full),  and  the  propulsion  system  is 
considered  to  either  work  or  not  work. 

System  components  are  assumed  to  have  statistically 
independent  lives.  No  component  can  be  repaired  or 
replaced,  and  each  component  has  a  finite  life.  [Ref. 
6:  p.  10]  As  with  the  components,  only  two  states  of 
the  system  are  recognized,  functioning  or  failed.  It  is 
assumed  throughout  this  thesis  that  the  state  of  the 
system  (i.e.  functioning  or  failed)  is  completely 
determined  by  the  states  of  its  components. 

Each  component  will  be  tested  prior  to  installation 
and again after installation to ensure the system
functions  properly.  The  total  test  time  for  every 
component  will  be  at  least  500  hours.  During  these 
tests  the  components  will  have  an  opportunity  to  fail 
and  be  replaced.  If  after  all  the  tests  the  component 
is still functioning, it is assumed it will face a
constant  failure  rate  during  its  mission  life.  This 
assumption  means  the  exponential  distribution  will  be 
used  in  determining  a  component’s  survival  probability. 

The  physical  structure  of  the  satellite  will 
undergo  stresses  and  strains.  Throughout  the  analysis 
it  is  assumed  the  satellite  will  not  be  stressed 
outside of its design envelope. This means no component
will  experience  loads  greater  than  or  equal  to  its 
elastic  limit.  Additionally,  no  part  will  experience 
fatigue  failure  due  to  cyclic  mechanical  or  thermal 
stress  loading.  It  is  also  assumed  the  shared  stress 
environment  creates  associated  components.  The  concept 
of  association  will  be  addressed  later. 

All  basic  events  are  assumed  to  be  relevant  to  the 
event  tree.  This  means  each  basic  event  appears  in  the 
union  of  the  min  cut  sets.  A  formal  definition  of 
relevant  components  is  presented  in  Section  J  of  this 
chapter.

D.  ADVANTAGES  OF  FAULT  TREES 

There  are  some  distinct  advantages  of  fault  tree 
analysis  that  make  it  particularly  suited  for  the 
reliability  analysis  of  ORION.  These  advantages 
include:

1. the clarity of subsystem interrelation is expressed
by the tree.

2.  the  fact  that  the  tree  can  be  quantified. 

3.  enabling  the  analyst  to  focus  on  one  particular 
undesired  event  at  a  time. 

4.  for  constructing  meaningful  fault  trees,  the 
analyst  has  to  interact  with  the  designers  and 
operators  to  fully  understand  the  system.  The 
insight  obtained  during  this  process  is  of  major 
benefit  to  system  design,  since  weaknesses  are 
spotted  and  corrected  during  this  period. 

5. the graphical representation of the logic structure
provides a visual tool to both the engineers
and  management  and  is  useful  for  justifying 
design  changes  and  performing  trade  off  studies. 

6. the fault tree, being in essence a top-down
failure mode and effect analysis, lends itself to
better organization and control than the conventional
failure mode and effect analysis. Because
of the top-down approach, it also offers more
flexibility in terms of termination at any hardware
level as well as selectively exploring
certain critical faults in greater depth.

7.  the  fault  tree  can  be  used  to  obtain  minimal  cut 
sets  which  define  the  modes  of  system  failure  and 
identify  critical  components.  [Ref.  7]  Minimal 
cut  sets  are  addressed  in  paragraph  G  of  this 
chapter.


E.  DISADVANTAGES  OF  FAULT  TREES 

Though  there  are  some  general  drawbacks  to  fault 
tree  analysis,  these  shortcomings  do  not  adversely 
affect  the  analysis  of  ORION.  Fault  tree  analysis  can 
be  time  consuming,  expensive  to  produce,  and  include 
overwhelming  detail  for  large  or  complex  systems.  Since 
ORION  is  to  be  a  low  cost,  multi-purpose  bus,  a  fault 
tree  analysis  is  not  necessarily  complex  or  time 
consuming.  Another  general  drawback  is  it  requires 
considerable  effort  to  include  all  types  of  common 
cause failures in the fault tree. A fault tree cannot
readily handle priority AND gates and elements in cold
standby. A priority AND gate restricts its inputs to a
specified  sequence.  ORION  has  no  feature  requiring  a 
priority  AND  gate  and  has  no  component  in  cold  standby. 

F.  CONSTRUCTION  OF  A  FAULT  TREE 

There  are  three  groups  of  symbols  commonly  used  to 
construct  a  fault  tree.  The  three  groups  presented  here 
are  the  events,  the  logic  gates  and  some  special 
symbols.

1. Events


Four  kinds  of  events  are  represented  by  the 
four  symbols  in  Figure  3.2.  A  circle  represents  a 
clearly defined failure of a basic component. In contrast
to the exactness represented by the circle is the
uncertainty  associated  with  a  diamond  event,  which  is  a 
failure  not  well  understood  because  of  absence  of 
information  or  significance.  Circles  are  called  primary 
events  and  diamonds  secondary  events.  Collectively  they 
are  called  bottom  events.  As  such,  they  are  on  the 
bottom  of  the  tree,  have  reliabilities  associated  with 
them,  and  represent  the  depth  of  resolution.  Normal, 
frequently occurring events are symbolized by a house-shaped
figure. An example is the satellite being
eclipsed  by  the  earth.  Without  sunlight  the  solar 
panels  will  not  generate  a  voltage.  Though  no  voltage 
is  considered  a  failure,  this  condition  is  not  the 
result  of  a  broken  panel.  Finally,  several  events 
combined  together  by  a  logic  gate  form  a  combination 
event  represented  by  a  rectangle.  Rectangles  are  called 
gate events. Gate nodes correspond to intermediate
events  while  the  top  node  corresponds  to  a  very  serious 
system  failure  event. 

2. Logic Gates

Many  different  logic  gates  are  used  to  combine 
events,  but  three  simple  ones  are  sufficient.  These 
three  (AND,  OR,  and  INHIBIT)  are  illustrated  in  Figure 
3.3.  Note  that  the  inputs  enter  from  below  and  the 
output  comes  from  the  top  of  the  gate.  The  AND  gate 
produces an output if all the inputs exist simultaneously.
The OR gate produces an output when at least
one of the input conditions occurs. These two gates are
the  same  as  ordinary  usage  of  the  words  "and"  and  "or." 
The  INHIBIT  gate  produces  output  when  the  input  is 
present and a specified condition exists. In other
words, the output is "inhibited" by lack of the stated
condition. The INHIBIT gate can be compared to
FORTRAN's logical IF statement. The FORTRAN statement
"IF (A .EQ. B) GOTO 1030" states that if the condition
A equals B is satisfied, go to statement number 1030.
If the condition is not satisfied, continue in normal
sequence.

Figure 3.2 Events

Circle: Basic component failure
Diamond: Failure undeveloped due to lack of information or lack of significance
House: Normally occurring event, probability close to one
Rectangle: Combination of other three events; does not appear at lowest level of tree
Ellipse: Priority description or restriction placed on the gate or an indicator of multiple components

3. Special Symbols

Shown  in  Figure  3.4  are  three  special  symbols 
representing  parts  of  trees  used  to  reduce  redundancy. 
These  comprise  the  last  set  of  symbols  presented  for 
construction  of  a  fault  tree. 

The  hexagon  refers  to  another  fault  tree  which 
is  substituted  where  the  symbol  appears.  A  good  use  for 
this  symbol  would  be  when  a  particular  failure  needs 
further  definition.  The  detailed  tree  would  be  headed 
with  another  hexagon  and  bear  the  same  label  as  the 
hexagon  in  the  original  tree. 

To  repeat  another  portion  of  the  same  tree,  a 
pair  of  triangles  is  used.  The  portion  of  the  tree 
below  the  triangle  on  the  left  is  substituted  at  the 
point  where  the  triangle  appears  on  the  right. 

The  last  special  symbol  (an  ellipse)  indicates 
identical  components  either  in  series  or  parallel.  In 
this  case  only  one  component  is  mentioned  and  the 
redundancy  is  shown  by  an  ellipse  around  the  input.  The 
number  of  components  is  written  beside  the  symbol. 

G.  MINIMAL  CUT  SETS 

A  listing  of  minimal  cut  sets  (or  min  cut  sets  or 
MCS)  is  useful  for  design  purposes  by  helping  to 
determine  the  "weakest  link(s)"  in  the  system.  A  cut 
set  is  defined  as  any  set  of  primary  and  secondary 
events  whose  occurrences  cause  the  top  event  to  occur. 
A cut set is minimal if it cannot be reduced and still
ensure the occurrence of the top event.

The algorithm used to identify min cut sets is
based on the fact that AND gates always increase the
size of a cut set while an OR gate always increases the
number of cut sets.

The  simplest  and  clearest  way  to  explain  the  min 
cut  set  algorithm  is  to  illustrate  its  operation  in  an 
example.  The  event  tree  for  Example  3.1  is  Figure  3.5. 

Example 3.1:

The algorithm begins with the gate immediately
below the top event. If the gate is an OR gate, each
input is an entry in separate rows of a list matrix. If
the gate is an AND gate, each input is listed in the
first row of a list matrix. Since the gate immediately
below the top event in Figure 3.5 is an OR gate, the
construction of the list matrix begins with inputs 1,
G1, and 2 in separate rows as follows:

1
G1
2

Since any one of the inputs can cause the top event to
occur, each will be a member of a separate cut set.

The  idea  of  the  algorithm  is  to  replace  each  gate 
by  its  input  gates  and  basic  events  until  a  list  matrix 
is  constructed,  all  of  whose  entries  are  basic  events. 
The  rows  will  then  correspond  to  cut  sets. 

Since G1 is an OR gate, G1 is replaced by its input
events in separate rows as follows:

1
G2
3
2

Likewise, G2 is replaced by its input events in
separate rows.

Since all inputs to an AND gate must occur to cause
the intermediate event above the AND gate, this shows
that an AND gate increases the length of its row. An OR
gate, on the other hand, increases the number of rows
in the list matrix.

Replacing G2 (which is an AND gate) by its inputs,
the list matrix becomes:


(.4  ,  05 
0 
2 

Replacing G4 by its inputs, the list becomes:


b,  0  5 
(it),  (if) 
M 


Continuing until the list contains only primary and
secondary events the list stops with these (rearranged)
cut sets:


b  ,  <) 
5,10 
b  ,  1  1 
b  ,  1  2 
6  ,  ID 


V  ,  <) 

V  .  1  0 

V  ,  1  1 

V  ,  1  2 
7  ,  1  ) 


S  ,  <) 

S  ,  1  o 
H,  1  1 
S  .  1  2 
H  ,  ID 


In this example basic events are not repeated. If
basic events are not repeated all of the cut sets are
minimal cut sets. This means no one cut set is
contained in any other cut set. Generally, if basic
events are repeated in the tree, the algorithm does not
determine only min cut sets. So, when basic events are
repeated somewhere in the tree the list matrix must be
searched to eliminate cut sets which contain other
sets. The final list will then contain only min cut
sets.


H.  MINIMAL  PATH  SETS 

The dual to a cut set is a path set. Path sets are
identified through the dual event tree and consist of
the events necessary to make the system function rather
than fail. To draw the dual event tree, replace AND
gates with OR gates and OR gates with AND gates in the
original tree. Each event must also be replaced with a
dual description. Failures in the original tree become
successes in the dual (new) tree. In general, the dual
basic events are the non-occurrence of the original
basic events.

As in the cut sets, the focus is on the minimal
path sets. A path set is minimal if it cannot be
further reduced and still insure the top event (now a
system success). Min path sets are determined by
applying the same min cut algorithm to the dual (new)
tree.
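The list-matrix expansion of sections G and H, written out as an added Python example (not code from the thesis). The tree is constructed for illustration and is not Figure 3.5; it repeats basic event E5 so that the final search for contained cut sets has work to do, and the same routine run on the dual tree gives the min path sets.

```python
# Constructed fault tree (an assumption, not the thesis's Figure 3.5).
# Each gate maps to (gate type, inputs); a name that is not a key is a basic event.
TREE = {
    "TOP": ("OR", ["E1", "G1", "E2"]),
    "G1": ("OR", ["G2", "E3"]),
    "G2": ("AND", ["G3", "G4"]),
    "G3": ("OR", ["E4", "E5"]),
    "G4": ("OR", ["E5", "E6"]),  # E5 is repeated, so non-minimal rows appear
}


def cut_sets(tree, top="TOP"):
    """Expand the list matrix until every entry is a basic event."""
    rows = [[top]]
    while True:
        # Locate the first entry that is still a gate.
        hit = next(((r, e) for r, row in enumerate(rows)
                    for e in row if e in tree), None)
        if hit is None:
            return [frozenset(row) for row in rows]
        r, gate = hit
        kind, inputs = tree[gate]
        rest = [e for e in rows[r] if e != gate]
        if kind == "AND":
            # AND gate: all inputs join the same row (the row gets longer).
            rows[r:r + 1] = [rest + list(inputs)]
        else:
            # OR gate: one new row per input (the matrix gets more rows).
            rows[r:r + 1] = [rest + [i] for i in inputs]


def minimize(sets):
    """Drop every set that strictly contains another set in the list."""
    unique = set(sets)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def dual(tree):
    """Swap AND and OR gates; basic events now read 'component functions'."""
    swap = {"AND": "OR", "OR": "AND"}
    return {gate: (swap[kind], inputs) for gate, (kind, inputs) in tree.items()}


def min_cut_sets(tree):
    return minimize(cut_sets(tree))


def min_path_sets(tree):
    return minimize(cut_sets(dual(tree)))


if __name__ == "__main__":
    print("rows before the search:", [sorted(s) for s in cut_sets(TREE)])
    print("min cut sets:          ", [sorted(s) for s in min_cut_sets(TREE)])
    print("min path sets:         ", [sorted(s) for s in min_path_sets(TREE)])
```

The row {E4, E5} and the row {E5, E6} both contain the row {E5}, which is why the search step is needed once a basic event is repeated.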

I.  PROBABILITY  EVALUATION  OF  FAULT  TREES 

To build the mathematical structure necessary to
derive system reliabilities the states of a component
must first be defined. To indicate the state of the
component a binary indicator variable $x_i$ is assigned to
component i:


where i = 1, ..., n, and n is the number of components
in the system. Additionally, a binary variable $\phi$
indicates the functioning of the system:

1  :  •  ni-  -.  c 


Since it is assumed that the state of the components
completely determines the state of the system, the
system state can be represented as


where


\  - 1  • 

The function $\phi(x)$ is called the structure function of
the system. The number of components (n) in the system
is called the order of the system. As an example, the
structure function of a series of n components is


Consistent with above, $\phi(x)$ is 1 only if all the
components function.

Similarly, for a parallel arrangement of n components,
the structure function becomes


equivalently


LJ 


U 


This returns a value of 1 if there is at least one
functional component. Both notations are consistent
with their respective usages in logic.

If and only if at
s function. This structure function is shown by


Fault trees with AND and OR gates create structure
functions which are coherent^. Then given a coherent
structure $\phi$ of order n
rx 

LK 

i  =  1 


This means a system's performance is bounded below by a
series representation and above by a parallel
representation. [Ref. 8: pp. 6-8]

With the jth (j = 1, ..., p) min path set $P_j$, we
may express a structure (called the minimal path
series structure) with arguments


The structure is binary and takes on the value 1 if all
components in the jth min path set function. This depicts
a path set as a series arrangement of the path set's
elements. A system will function if at least one min path
set functions. The structure function can then be written as


.■  =  1

The structure function can be viewed as a parallel
arrangement of the path sets. This is commonly
referred to as a parallel-series arrangement.

Similarly, with minimal cut sets, the structure
(called the minimal parallel cut structure) can be
expressed as


_  v\«


which is binary and takes on the value 0 when all the
components in the jth min cut set fail, and 1
otherwise.

^A coherent structure being, roughly, one whose
performance does not deteriorate when failed components
are replaced by functioning ones [Ref. 8: pp. 1 d 1, 1 ‘12].

Since  the  system  will  fail  if  and  only  if  at  least 
one of the min cut structures fails, the structure
function  can  be  viewed  as  a  series  arrangement  of  the 
cut  sets  with  the  elements  of  a  cut  set  arranged  in 
parallel.  Such  an  arrangement  can  be  expressed  as 


k 


This is referred to as a series-parallel arrangement.

Initially, the components are assumed to be
statistically independent. If the state of the ith
component is random (denoted as $X_i$) then

$P[X_i = 1] = p_i = E[X_i]$ for $i = 1, \ldots, n$

where E[X] means the expected value of X. The
probability that i functions, $p_i$, is referred to as the
reliability of component i. In similar fashion, the
reliability of the system is

$P[\phi(X) = 1] = E[\phi(X)]$.

The reliability of the k-out-of-n case with
identical components and reliabilities becomes
[Ref. 8: pp. 20-21]


The preceding formula holds under the assumption of
component independence. In reality, this is not usually
the case. Independence will be replaced with a form of
positive dependence. Components can become positively
dependent in various ways. For example, if a subsystem
has several like-components and one of them fails, the
subsystem remains functional because the remaining
functioning components share the load. Another way
positive dependence is created is when all the
components are subjected to the same stress
environment. The components of ORION fall in this
category. If the reliability of a series arrangement of
independent components is calculated, when in fact they
are associated^, the resultant reliability will be an
underestimate of the true reliability. The opposite
holds for parallel systems. [Ref. 8: pp. 29,32]

The following min-max bounds theorem is presented
in Reference 8, page 37, along with the theorem's
proof.

Let $\phi$ be a coherent structure. Let $P_1, P_2, \ldots, P_p$
be the component min path sets corresponding to $\phi$
and let $K_1, K_2, \ldots, K_k$ be the component min cut sets
corresponding to $\phi$. If components are associated,
then the following bounds hold:


a  r  ;) 


]  p  <  r\'\. IX;  =  l  !  < 


Another, equivalent relationship can be expressed in
terms of $1 - p_i$. The above bounds now become:

.  ,  -  -p  ;  x;  =  i  .  •  x  ;  •  .  ,  , 
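An added Python example (not from the thesis) that evaluates the min-max bounds for ORION's attitude detection events as listed in Appendix C and checks them against the exact reliability found by enumerating every state. The component reliabilities are constructed values, and the components are taken as independent (a special case of association) so that each path or cut probability is a simple product.

```python
from itertools import product
from math import prod

# Attitude detection events from Appendix C:
# Y2 sun sensor, Y31 earth sensor, Y32..Y35 magnetometers.
MAGS = ["Y32", "Y33", "Y34", "Y35"]
MIN_CUTS = [{"Y2", "Y31"}, {"Y2", *MAGS}, {"Y31", *MAGS}]
# Min path sets of the same structure (the dual of the cut sets above).
MIN_PATHS = [{"Y2", "Y31"}] + [{s, m} for s in ("Y2", "Y31") for m in MAGS]
# Constructed reliabilities for illustration only, not ORION data.
P = {"Y2": 0.95, "Y31": 0.90, **{m: 0.80 for m in MAGS}}


def phi_paths(x, paths=MIN_PATHS):
    """Parallel-series form: some min path set has every element working."""
    return int(any(all(x[i] for i in path) for path in paths))


def phi_cuts(x, cuts=MIN_CUTS):
    """Series-parallel form: every min cut set has a working element."""
    return int(all(any(x[i] for i in cut) for cut in cuts))


def all_states(components):
    """Yield every 0/1 state vector as a dict keyed by component name."""
    for bits in product((0, 1), repeat=len(components)):
        yield dict(zip(components, bits))


def representations_agree(p=P):
    """Both forms of the structure function must match on all 2^n states."""
    return all(phi_paths(x) == phi_cuts(x) for x in all_states(sorted(p)))


def exact_reliability(p=P):
    """E[phi(X)] summed over all states, assuming independent components."""
    total = 0.0
    for x in all_states(sorted(p)):
        if phi_paths(x):
            total += prod(p[c] if x[c] else 1 - p[c] for c in p)
    return total


def min_max_bounds(p=P, paths=MIN_PATHS, cuts=MIN_CUTS):
    """Lower bound: most reliable min path. Upper bound: least reliable min cut."""
    lower = max(prod(p[i] for i in path) for path in paths)
    upper = min(1 - prod(1 - p[i] for i in cut) for cut in cuts)
    return lower, upper


if __name__ == "__main__":
    lo, hi = min_max_bounds()
    print(f"{lo:.6f} <= {exact_reliability():.6f} <= {hi:.6f}")
```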


J.  IMPORTANCE  OF  BASIC  EVENTS 

^Association is a particular form of positive
dependence [Ref. 8: p. 150] which can be a reasonable
assumption in modeling ORION.

There are two kinds of component importance. The
first is structure importance and the second is
reliability importance. Before discussing each of
these, the concept and definition of relevance must be
established. The following definition will be used.

The ith component is irrelevant to the structure
$\phi$, if $\phi$ is constant in $x_i$, that is,
$\phi(1_i, x) = \phi(0_i, x)$ for all $(\cdot_i, x)$^.
Otherwise the ith component is relevant to
the structure. [Ref. 8: p.4]

The  structure  importance  of  a  component  focuses  on 
whether  or  not  a  component  changes  the  structure 
function  from  0  to  1  or  from  1  to  0.  In  essence,  the 
structural  importance  is  concerned  with  only  relevant 
components.  If  component  i  is  relevant,  then  the 
following  property  holds. 


$\phi(1_i, x) - \phi(0_i, x) = 1$ for some $(\cdot_i, x)$.

When this condition exists $(1_i, x)$ is called a critical
path vector for i. Let $n_\phi(i)$ denote the total number of
critical path vectors for i. This means

$n_\phi(i) = \sum_{\{x \mid x_i = 1\}} [\phi(1_i, x) - \phi(0_i, x)]$

This is also the same total number of critical path
sets for i. [Ref. 8: p. 13]

The following is a credible measure of the
structural importance of component i:

$I_\phi(i) = \frac{1}{2^{n-1}} \sum_{\{x \mid x_i = 1\}} [\phi(1_i, x) - \phi(0_i, x)]$


This depicts the proportional number of the $2^{n-1}$
outcomes which have $x_i = 1$ in the critical path vectors
for i. As a result, for any given $\phi$, the components
may be ordered (based on structural importance) by
ordering $I_\phi(1), \ldots, I_\phi(n)$. [Ref. 8: p. 14]

^Notation:
$(1_i, x) \equiv (x_1, \ldots, x_{i-1}, 1, x_{i+1}, \ldots, x_n)$
$(0_i, x) \equiv (x_1, \ldots, x_{i-1}, 0, x_{i+1}, \ldots, x_n)$
$(\cdot_i, x) \equiv (x_1, \ldots, x_{i-1}, \cdot, x_{i+1}, \ldots, x_n)$

The second type of importance is the component's
reliability importance. This takes into account the
component reliabilities as well as the system
structure. If components can be ranked according to
their importance to the system reliability, this
ranking information can be helpful in determining which
components should have the highest priority for
research and development. This allows managers to
expend effort and money more wisely. [Ref. 8: p. 26]

Intuitively, it would seem a component's
reliability importance could be measured by observing
the rate of change in the system's reliability as the
component's reliability changes. The reliability
importance $I_r(i)$ of component i is given by

$I_r(i) = E[\phi(1_i, X) - \phi(0_i, X)]$.

This definition holds even if the components are
associated. [Ref. 8: pp. 26-27]
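Both importance measures computed by direct enumeration, as an added Python example (not from the thesis). The structure is a constructed reduction that borrows three entries from the ORION path list in Chapter IV (1 computer, 3 out of 4 momentum wheels, 1 out of 2 batteries); the reliabilities are constructed values and independent components are assumed.

```python
from itertools import product

COMPONENTS = ["computer", "wheel1", "wheel2", "wheel3", "wheel4",
              "battery1", "battery2"]
# Constructed reliabilities for illustration only, not ORION data.
P = {"computer": 0.99, "battery1": 0.80, "battery2": 0.80,
     **{f"wheel{k}": 0.90 for k in range(1, 5)}}


def phi(x):
    """Structure function: computer AND 3-of-4 wheels AND 1-of-2 batteries."""
    wheels = sum(x[f"wheel{k}"] for k in range(1, 5))
    batteries = x["battery1"] + x["battery2"]
    return int(x["computer"] == 1 and wheels >= 3 and batteries >= 1)


def states_of_others(i):
    """All 2^(n-1) states of the components other than i."""
    others = [c for c in COMPONENTS if c != i]
    for bits in product((0, 1), repeat=len(others)):
        yield dict(zip(others, bits))


def critical_path_vectors(i):
    """n_phi(i): states where switching i from 0 to 1 switches the system."""
    return sum(phi({**x, i: 1}) - phi({**x, i: 0}) for x in states_of_others(i))


def structural_importance(i):
    """I_phi(i) = n_phi(i) / 2^(n-1)."""
    return critical_path_vectors(i) / 2 ** (len(COMPONENTS) - 1)


def reliability_importance(i, p=P):
    """I_r(i) = E[phi(1_i, X) - phi(0_i, X)] with independent components."""
    total = 0.0
    for x in states_of_others(i):
        weight = 1.0
        for name, state in x.items():
            weight *= p[name] if state else 1 - p[name]
        total += weight * (phi({**x, i: 1}) - phi({**x, i: 0}))
    return total


def ranking(measure):
    """Component names ordered from most to least important."""
    return sorted(COMPONENTS, key=lambda c: -measure(c))


if __name__ == "__main__":
    for c in ("computer", "wheel1", "battery1"):
        print(f"{c:9s} structural={structural_importance(c):.6f} "
              f"reliability={reliability_importance(c):.7f}")
```

The series component ranks first, a momentum wheel second and a battery last, the same relative order as those three items in the hierarchy reported in Chapter IV.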


IV.  SYSTEM  RELIABILITY  ANALYSIS 


Using a copy of the schematics of ORION (Appendix
A) and maintaining a constant interface with the
designers, the ORION fault tree was developed (Appendix
B). Once the fault tree was established the min cut
algorithm was applied to it. This algorithm revealed 82
minimal cut sets. Of these cut sets 22 are single
element sets, 29 are double element cut sets, 27 are
triple element cut sets, 2 are five element cut sets, 1
is a six element cut set and 1 is an eleven element cut
set. Once these cut sets were established, the dual
tree was constructed and the min paths determined.
There are 33,890,503,680 distinct paths, of which the
vast majority is due to the large number of paths
through the solar strings. In general, the paths are
formed by combining the following components:

2 out of 3 attitude detection components
    sun sensor
    earth sensor
    1 out of 4 magnetometers
1 computer
4 out of 6 bubble memory cards each with
    functional heater strips and thermistors
1 shunt regulator
1 out of 2 batteries
14 out of 24 solar strings
4 solar connectors
3 out of 4 momentum wheels
1 out of 2 spin up thrusters with a functional
    solenoid
1 out of 2 spin down thrusters with a functional
    solenoid
1 out of 2 nutation thrusters with a functional
    solenoid
1 orbit insert thruster with a functional solenoid
2 pyrotechnic valves
2 fill and drain valves
2 pressurant tanks
1 hydrazine tank with functioning heaters and
    thermistors
Hydrazine line intact with functional heaters and
    thermistors
1 out of 2 antennas functioning and deployed
1 combiner/splitter in the TT&C
1 TT&C transceiver
1 TT&C interface hardware
Pressurant line intact
1 heater control hardware
1 bubble storage controller
1 attitude control interface

If  the  solar  strings  are  considered  as  a  single 
module,  the  number  of  paths  reduces  to  17,280.  Similar 
modular  reductions  can  take  place  when  a  subsystem 
consists  of  k  out  of  n  like-components.  All  but  the 
attitude  detection  subsystem  can  be  reduced  to  an 
equivalent  single  component.  This  reduces  the  final 
number  of  paths  to  three. 
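The path counts quoted above can be reproduced from the component list with binomial coefficients, and each k-out-of-n module can be collapsed to one equivalent reliability with the binomial distribution. This is an added Python example (not the thesis's Lotus 1-2-3 model); identical, independent components within a module and the sample reliabilities are assumptions.

```python
from math import comb

# k-out-of-n modules of like components, read from the path list above.
# Series items (computer, shunt regulator, valves, ...) contribute one
# choice each and are therefore left out of the count.
MODULES = {
    "bubble memory cards": (4, 6),
    "batteries": (1, 2),
    "solar strings": (14, 24),
    "momentum wheels": (3, 4),
    "spin up thrusters": (1, 2),
    "spin down thrusters": (1, 2),
    "nutation thrusters": (1, 2),
    "antennas": (1, 2),
}
MAGNETOMETERS = (1, 4)


def attitude_paths(collapse_magnetometers=False):
    """2 out of 3 of {sun sensor, earth sensor, magnetometer group}."""
    k, n = MAGNETOMETERS
    mags = 1 if collapse_magnetometers else comb(n, k)
    # {sun, earth}, plus {sun, magnetometer} and {earth, magnetometer}
    # once per way of choosing the magnetometer.
    return 1 + 2 * mags


def count_min_paths(collapsed=()):
    """Number of distinct paths; modules named in `collapsed` count as one."""
    total = attitude_paths("magnetometers" in collapsed)
    for name, (k, n) in MODULES.items():
        total *= 1 if name in collapsed else comb(n, k)
    return total


def k_out_of_n(k, n, p):
    """Reliability of a k-out-of-n module of identical independent parts."""
    return sum(comb(n, j) * p**j * (1 - p) ** (n - j) for j in range(k, n + 1))


def what_if(module, candidates):
    """Equivalent single-component reliability for each trial value of p."""
    k, n = MODULES[module]
    return [(p, k_out_of_n(k, n, p)) for p in candidates]


if __name__ == "__main__":
    print("all paths:               ", count_min_paths())
    print("solar strings as module: ", count_min_paths({"solar strings"}))
    print("every module collapsed:  ",
          count_min_paths(set(MODULES) | {"magnetometers"}))
    # Constructed trial values for one solar string's reliability.
    for p, r in what_if("solar strings", [0.70, 0.80, 0.90]):
        print(f"string p={p:.2f} -> 14-of-24 module reliability {r:.6f}")
```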

The three reduced paths were used to calculate the
structural importance of the components. The
calculations reveal seven levels of relative importance
in the following hierarchy (1 being the most relevant):

1. all basic components except those listed below.
(A detailed list is given in Appendix C);

2. a momentum wheel;

3. a bubble memory card with functioning heaters and
thermistors;

4. a solar string;

5. the sun sensor, the earth sensor, a nutation,
spin up, and spin down thruster with their
functioning solenoids;

6. a battery, an antenna, a hydrazine tank heater
and a thermistor; and

7. a magnetometer.

A  schematic  of  the  path  sets  is  at  Appendix  C. 

The  reliability  importance  cannot  be  specifically 
calculated  since  the  actual  hardware  for  several 
subsystems  has  not  been  defined.  A  Lotus  1-2-3 
spreadsheet  was  developed  so  the  designers  can  input 
component  reliabilities  as  the  subsystems  are  defined. 
The  spreadsheet  can  then  calculate  the  system’s 
reliability  boundaries  and  components’  reliability 
importance.  The  data  (i.e.  component  failure  rates)  for 
inclusion  in  the  spreadsheet  come  from  two  major 
sources, JPL TR 32-1505 and MILSTD 217D. The spreadsheet
identifies the lower boundary as the most
reliable  path  and  the  upper  boundary  as  the  least 
reliable  cut.  The  number  of  paths  to  compare  is 
significantly  reduced  by  using  a  modular  approach  (i.e. 
using  the  binomial  distribution  to  calculate  the 
reliability  of  a  k  out  of  n  subsystem).  Such  a 
reduction  allows  the  problem  to  be  handled  by  a 
spreadsheet.  Even  in  a  reduced  form,  the  model 
maintains  the  ability  to  discern  an  impact  on  the 
system  reliability  when  changing,  for  example,  only  a 
solar  string’s  reliability.  The  spreadsheet  is  then 
singularly important because it can readily do this
"what-if" analysis.

V. CONCLUSION


A.  OVERALL  FINDINGS 

Throughout  the  analysis,  it  became  apparent  that 
the  fault  tree  is  a  "living"  document.  It  must  be 
maintained to reflect the existing design if it is to
aid  in  the  design  process.  The  fault  tree  can  help 
explain  the  cause  of  a  failure  after  design  is  complete 
and  the  system  is  on  station,  but  only  if  the  fault 
tree  reflects  the  current  design.  Aiding  in  the  design, 
and  determination  of  a  failure  after  system  employment 
are  strong  motives  to  maintain  the  fault  tree.  This 
thesis  includes  sufficient  background  so  maintenance 
can  be  done  to  insure  the  longevity  of  the  fault  tree. 

A total of 82 cut sets were determined and the
components' structural importance derived. The
information can be used to help focus research and
budget efforts.

Lastly, a spreadsheet was developed to model the
system's reliability boundaries as well as component
reliability importance.

B.  RECOMMENDATIONS 

There  are  five  recommendations  based  upon  the  fault 
tree  analysis.  They  are: 

1. as each subsystem is developed, conduct a
detailed fault tree analysis of that subsystem.

2. after a subsystem is constructed, conduct a
circuit stress analysis of each component and the
subsystem.

3. as the design may change, maintain the fault
tree.

4. for electrical components, use the designing
engineer's reliability based diagram to help
construct the fault tree. If a diagram is not
available, request one be made.

5. focus research and budget attention on those
components listed with the highest structural and
reliability importance.

Due to ORION's design to be low cost and
reconfigurable, ORION is an excellent candidate for
constellation proliferation. A logical follow-on study
to this one would be a study of a constellation's
reliability.

APPENDIX A

ORION SUBSYSTEM SCHEMATICS


The enclosed schematics were used to develop the
fault tree for ORION.


Figure A.2 ORION Subsystem Summary


Figure A.3 Thermal Control Subsystem


5 Telemetry, Tracking and Control Subsystem


Attitude Control Subsystem


ge Subsystem

APPENDIX  B 

ORION  FAULT  TREES 


The  large  fault  tree  developed  is  broken  into  small 
sections  and  is  included  in  this  Appendix. 



Figure  B.2  Control  Fault  Tree 


Figure B.3 Attitude Detection Fault Tree


Figure B.4 Propulsion Fault Tree


B.7 Telemetry, Tracking and Communication Fault Tree


APPENDIX  C 

ORION  PATH  AND  CUT  SETS 


Use of the min cut algorithm produced 82 minimal
cut sets. Their basic component designation and
description are listed below:

Single Element Cut Sets

Y1             Attitude control interface electronics
Y3             Data storage controller
Y13            Heater control hardware
Y14            Computer
Y15            Shunt regulator
Y42            Propulsion interface electronics
Y43            Hydrazine line
Y44            Hydrazine line heater
Y45            Hydrazine line thermistor
Y46            Pressurant line
Y47            Hydrazine tank
Y52 and Y53    Fill and drain valve
Y54 and Y55    Pressurant tank
Y56 and Y57    Pyrotechnic valve
Y66            Orbit thruster
Y67            Orbit thruster heater
Y74            TT&C combiner splitter
Y75            TT&C transceiver hardware
Y76            TT&C interface hardware

Double Element Cut Sets

Y2, Y31                  Sun sensor and earth sensor

Y16, Y17                 Both batteries

Y23, Y24                 Two solar array connectors

Y36, Y37                 Two momentum wheels

Y38, Y39    Y38, Y41     Any pair of thrusters (spin up,
Y39, Y40    Y40, Y41     spin down or nutation) disabled by
Y58, Y59    Y58, Y61     a combination of the thruster or
Y59, Y60    Y60, Y61     its heater failing and a similar
Y62, Y63    Y62, Y65     failure on the coupled thruster.
Y63, Y64    Y64, Y65

Y48, Y50    Y48, Y51     Any combination of the heaters and
Y49, Y50    Y49, Y51     thermistors on the hydrazine tank.

Y68, Y71    Y68, Y72     Any combination of an antenna, an
Y68, Y73    Y69, Y71     antenna connector, or antenna
Y69, Y72    Y69, Y73     deployment with the similar events
Y70, Y71    Y70, Y72     of the other antenna.
Y70, Y73


Triple Element Cut Sets

All of these cut sets are any combination of a
bubble memory card, its heater or its thermistor with
the similar events on any other two bubble memory
cards.

Y4, Y5, Y6      Y4, Y5, Y9      Y4, Y5, Y12
Y4, Y8, Y6      Y4, Y8, Y9      Y4, Y8, Y12
Y4, Y11, Y6     Y4, Y11, Y9     Y4, Y11, Y12
Y7, Y5, Y6      Y7, Y5, Y9      Y7, Y5, Y12
Y7, Y8, Y6      Y7, Y8, Y9      Y7, Y8, Y12
Y7, Y11, Y6     Y7, Y11, Y9     Y7, Y11, Y12
Y10, Y5, Y6     Y10, Y5, Y9     Y10, Y5, Y12
Y10, Y8, Y6     Y10, Y8, Y9     Y10, Y8, Y12
Y10, Y11, Y6    Y10, Y11, Y9    Y10, Y11, Y12


Five Element Cut Sets

Y2, Y32, Y33, Y34, Y35     The sun sensor and all
                           four magnetometers

Y31, Y32, Y33, Y34, Y35    The earth sensor and all
                           four magnetometers

Six Element Cut Set

Y18, Y19, Y20, Y21, Y22, Y23    One solar array
and any five solar strings from the
remaining 18

Eleven Element Cut Set

Y18, Y19, Y20, Y21, Y22, Y25, Y26, Y27, Y28, Y29, Y30
Any combination of 11 solar strings from the 24

The following components were determined to have
the highest structural importance.

- Computer
- Shunt regulator
- Solar array connectors
- Heater control hardware
- Hydrazine tank
- Hydrazine line
- Hydrazine line heater
- Hydrazine line thermistor
- Pressurant tanks
- Pressurant line
- Fill and drain valves
- Propulsion interface electronics
- Orbit thruster
- Orbit thruster heater
- Attitude control interface
- Data storage controller


Path  Sets 


APPENDIX  D 

LOTUS  SPREADSHEET  LISTING 


The enclosed listing of a Lotus 1-2-3 spreadsheet
was converted to a MathPlan 3.0 format for inclusion in
this Appendix. It contains the elements necessary to do
a "what-if" analysis. As the subsystems are designed
and constructed, their reliabilities can be placed in
the spreadsheet to observe the subsystem's impact on
the system's reliability.



1.4  b 

- 

1  13  5] 

A  C  4  b 

A  C  4  7  M  [  A  B  1  ] 

A I)  4  b 

A  1)4  7  +  (  A B 4  o  "  A  ( 

4  b 
[  B  4  5  ]"!  B  4  b  ] 
1  D1  3  j 
(  I  1  V  ] 
L68  =  1-((1-[AG6])*(1-[AI6])*(1-[AK6]))

B69  =  [D19]^2

L69  =  1-((1-[O16])*(1-[Q16]))

B70  =  [I40]

L70  =  1-((1-[AG8])*(1-[AI8])*(1-[AK8]))

B71  =  [I19]

L71  =  1-((1-[AG3])*(1-[AI3])*(1-[AK3]))

B72  =  [D21]

L72  =  1-((1-[AG4])*(1-[AI4])*(1-[AK4]))

B73  =  [I25]

L73  =  1-((1-[AG7])*(1-[AI7])*(1-[AK7]))

B74  =  LOOKUP([E9],[T28]:[AA30])

L74  =  1-((1-[AG5])*(1-[AI5])*(1-[AK5]))

B75  =  [D32]

L75  =  1-((1-[AG2])*(1-[AI2])*(1-[AK2]))

B76  =  [D23]

G76  =  LOOKUP([J6],[AA2]:[AD26])

B77  =  [D22]^2

G77  =  [I7]^4

B78  =  LOOKUP([J9],[T4]:[V6])

G78  =  [G76]*[G77]

B79  =  [D20]^2

B80  =  LOOKUP([J31],[T17]:[V23])

B81  =  LOOKUP([E29],[T4]:[V6])

G81  =  LOOKUP([J6],[AA33]:[AD51])

G82  =  LOOKUP([J7],[T10]:[Z14])

G83  =  [G81]*[G82]

B84  =  B55*B56*B57*B58*B59*B60*B61*B62*B63*B64*B65*
        B66*B67*B68*B69*B70*B71*B72*B73*B74*B75*B76*
        B77*B78*B79*B80*B81